Re: Mozilla Firefox 16.0.1 Final

Thanks for that.

quote:When the user browses to the attackers web page, a Javascript on that page opens a new browser window with a Twitters lists URL (»twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victims personal lists page and the URL now contains the victims personal twitter ID (e.g. »twitter.com/Imperva/lists). The attackers Javascript now queries the new window for its URL by using the location object. On previous versions, the same origin policy had failed such requests.

However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victims Twitter ID in this case.

So that's why the POC didn't work for me when I tried it. I don't twit!(Now I might just sign up for Twitter just to see what it does, nah.)